
Protecting unauthorized viewing of non-php files

Tom
My site requires users to log in. Each PHP page ensures the user has been authenticated and will redirect to the login page if need be. However, the site also has a directory of PDF files that should only be displayed to authenticated users. My problem is, a user that knows the PDF file name can simply enter the URL for the PDF and Apache will serve it up.

How can I protect assets like PDF files from being served when a user has not been authenticated? I tried using an .htaccess file, but it prevents Apache from serving the PDF even when the user has authenticated using the login PHP page. This seems like it should be easy to do...

-T

Jul 17 '05 #1
4 Replies


*** Tom wrote (2 Jun 2005 09:27:15 -0700):
How can I protect assets like pdf files from being served when a user
has not been authenticated ?


You can only do that at web server level, and that's difficult to merge
with your current auth system.

I'd simply move PDF files out of web server root and link to a download
script which is not difficult to write.

Check header() and readfile().

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
Jul 17 '05 #2

Place the PDF outside of the web root and use readfile()
http://php.net/readfile function after verifying the user in a download
script, along with this, you should send the needed header()
http://php.net/header (filesize, type, forcing download if you wish,
etc).

-
DMacedo
http://www.Talk-PHP.com

Jul 17 '05 #3

2 thoughts if you don't have access to dirs outside the doc root:

1. put the PDFs in a database

2. use .htaccess in your pdf dir to make any http (i.e. browser)
access impossible:

# Apache 2.2 mod_access syntax (Order/Allow/Deny); on Apache 2.4 use
# "Require all denied" instead. Methods inside <Limit> are separated by
# spaces, not commas, and only the listed methods are denied; drop the
# <Limit> wrapper to deny every method.
<Limit GET POST PUT>
Order allow,deny
Deny from all
</Limit>

(not sure if the above code is correct, please check before using)

php will still be allowed to access the files via the server's
filesystem (because that's not affected by .htaccess), using for
instance readfile()

Jul 17 '05 #4

DMacedo wrote:
Place the PDF outside of the web root and use readfile()
http://php.net/readfile function after verifying the user in a
download script, along with this, you should send the needed header()
http://php.net/header (filesize, type, forcing download if you wish,
etc).


Additionally, you can use mod_rewrite to rewrite URLs to the script.

e.g. when using http://www.foo.com/download/index.php?f=bar.pdf, the
user's Save As... box wants to save the file 'index.php'

when you link to http://www.foo.com/download/bar.pdf and use some simple
rewrite rules to internally rewrite /download/bar.pdf to
/download/index.php?f=bar.pdf, the user's Save As... box wants to
save the file as 'bar.pdf'

Hans

--
"He who asks a question is a fool for five minutes;
he who does not ask a question remains a fool forever"
Jul 17 '05 #5
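A download script of the kind Álvaro, DMacedo and Hans describe above, as an added example that is not code from this thread. The private directory path, the session key set by the login page and the mod_rewrite rule are assumptions.

```php
<?php
// download/index.php (assumed location). Added example, not code from the thread.
// Assumes the PDFs live in /var/www/private_pdfs, outside the document root,
// and that the login page sets $_SESSION['user_id'] on success (both assumed).
//
// Optional, per Hans: in the document root's .htaccess (mod_rewrite enabled),
// so that /download/bar.pdf reaches this script as ?f=bar.pdf (assumed rule):
//   RewriteEngine On
//   RewriteRule ^download/([^/]+\.pdf)$ /download/index.php?f=$1 [L]
session_start();

// 1. The same check every protected page already does: no session, no file.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// 2. Accept only a bare file name. The pattern rejects slashes, "..", NUL
//    bytes, trailing newlines (\z, not $) and any extension other than .pdf,
//    so the script cannot be pointed at other files on the server and the
//    name is safe to echo back in a response header.
$name = isset($_GET['f']) ? $_GET['f'] : '';
if (!preg_match('/^[A-Za-z0-9_-]+\.pdf\z/', $name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name');
}

// 3. Resolve the path and confirm it is still inside the private directory
//    (realpath() follows symlinks, so check the result, not the input).
$dir  = '/var/www/private_pdfs';
$path = realpath($dir . '/' . $name);
if ($path === false || strpos($path, $dir . '/') !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 4. Send the headers DMacedo lists, then stream the file with readfile().
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Because the files sit outside the document root, Apache never serves them directly; every request goes through the session check first, which is what the original .htaccess attempt could not express.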
